Re: Secure legacy authentication for IKEv2
At 7:18 PM -0500 12/20/02, David Jablon wrote:
>The "clean separation" to which you refer merely insures that the quality
>of the initial DH key can *never* be improved or strengthened by the quality
>of the client authentication method. Got a password-authenticated key?
>Just throw it away. Yep, it's clean all right.
The same argument goes for IKEv2's authentication. Are you saying
that we should change the key derivation for IKEv2 itself to include
material from those authentication methods? If so, please suggest
text so the cryptographers can analyze it.
The current IKEv2 draft has:
    SKEYSEED = prf(Ni | Nr, g^ir)
    {SK_d, SK_ai, SK_ar, SK_ei, SK_er}
        = prf+ (SKEYSEED, Ni | Nr | CKY-I | CKY-R)
What is your proposal for improving this in a provably secure way?
--Paul Hoffman, Director
--VPN Consortium